Sign authentication requests from Service Provider

[mrajashree]

Is this implemented? Looking at how this line sets authnRequestsSigned to false by default, I don't think it is, but I wanted to confirm.

[peterdeka]

This should be definetly addressed

[crewjam]

Correct, we don't currently sign authentication requests. A PR would be most welcome. :)

Note: I'm in the process of catching up with this library after a period of
unfortunate neglect due to other professional obligations in the meantime.
I'm terribly sorry for the delay in addressing this issue.

[baloo32]

Can we re-open this - an IdP we are now integrating with requires signing of the Authn Request...

I can get some resource to work on this, but tbh not sure where we should start...

Any initial guidance welcome, but we can create the necessary code in our fork then open a PR for this once confirmed working!

[crewjam]

I'm happy to reopen if there is still interest.

I note that in service_provider.go, in both AuthnRequest.Post and AuthnRequest.Redirect where we serialize the AuthnRequest by calling AuthnRequest.Element().

Before serializing, we need to transform the returned *etree.Element by adding a signature. This is along the lines of what we do in IdpAuthnRequest.MakeAssertionEl.

Hope that helps, PRs would be most welcome.

[baloo32]

Great - will get some dev resource on it.

I note we will also need to check the
<IDPSSODescriptor WantAuthnRequestsSigned="true"... to only sign if requested...

[trajche]

@baloo32 Have you made any progress with this one?

[baloo32]

@baloo32 Have you made any progress with this one?

Afraid the resources I had working on it were reallocated then with Covid I don't have any to continue work on it.

It's still in our backlog and I hope to get back onto it as soon as the engineers return from furlough. If you want to close, we can reopen an issue once work restarts.